@simonsbs/keylore 1.0.0-rc4

package/dist/repositories/pg-credential-repository.js

@@ -0,0 +1,163 @@
+import { createCredentialInputSchema, credentialRecordSchema, updateCredentialInputSchema, } from "../domain/types.js";
+function mapRow(row) {
+    return credentialRecordSchema.parse({
+        id: row.id,
+        tenantId: row.tenant_id,
+        displayName: row.display_name,
+        service: row.service,
+        owner: row.owner,
+        scopeTier: row.scope_tier,
+        sensitivity: row.sensitivity,
+        allowedDomains: row.allowed_domains,
+        permittedOperations: row.permitted_operations,
+        expiresAt: row.expires_at instanceof Date ? row.expires_at.toISOString() : row.expires_at,
+        rotationPolicy: row.rotation_policy,
+        lastValidatedAt: row.last_validated_at instanceof Date
+            ? row.last_validated_at.toISOString()
+            : row.last_validated_at,
+        selectionNotes: row.selection_notes,
+        binding: row.binding,
+        tags: row.tags,
+        status: row.status,
+    });
+}
+function makeSearchClauses(input) {
+    const conditions = [];
+    const params = [];
+    const push = (sql, value) => {
+        params.push(value);
+        conditions.push(sql.replace("$?", `$${params.length}`));
+    };
+    if (input.query) {
+        params.push(input.query);
+        const placeholder = `$${params.length}`;
+        conditions.push(`(id ILIKE '%' || ${placeholder} || '%' OR display_name ILIKE '%' || ${placeholder} || '%' OR service ILIKE '%' || ${placeholder} || '%' OR owner ILIKE '%' || ${placeholder} || '%' OR selection_notes ILIKE '%' || ${placeholder} || '%')`);
+    }
+    if (input.service) {
+        push("service = $?", input.service);
+    }
+    if (input.owner) {
+        push("owner = $?", input.owner);
+    }
+    if (input.scopeTier) {
+        push("scope_tier = $?", input.scopeTier);
+    }
+    if (input.sensitivity) {
+        push("sensitivity = $?", input.sensitivity);
+    }
+    if (input.status) {
+        push("status = $?", input.status);
+    }
+    if (input.tag) {
+        push("$? = ANY(tags)", input.tag);
+    }
+    const clause = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+    return { clause, params };
+}
+export class PgCredentialRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async ensureInitialized() {
+        await this.database.healthcheck();
+    }
+    async list() {
+        const result = await this.database.query(`SELECT * FROM credentials ORDER BY id ASC`);
+        return result.rows.map(mapRow);
+    }
+    async count() {
+        const result = await this.database.query("SELECT COUNT(*)::text AS count FROM credentials");
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async getById(id) {
+        const result = await this.database.query("SELECT * FROM credentials WHERE id = $1", [id]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async search(input) {
+        const { clause, params } = makeSearchClauses(input);
+        const limitPlaceholder = `$${params.length + 1}`;
+        const result = await this.database.query(`SELECT * FROM credentials ${clause} ORDER BY id ASC LIMIT ${limitPlaceholder}`, [...params, input.limit]);
+        return result.rows.map(mapRow);
+    }
+    async create(record) {
+        const parsed = createCredentialInputSchema.parse(record);
+        await this.database.query(`INSERT INTO credentials (
+        id, tenant_id, display_name, service, owner, scope_tier, sensitivity,
+        allowed_domains, permitted_operations, expires_at, rotation_policy,
+        last_validated_at, selection_notes, binding, tags, status
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7,
+        $8, $9, $10, $11,
+        $12, $13, $14::jsonb, $15, $16
+      )`, [
+            parsed.id,
+            parsed.tenantId,
+            parsed.displayName,
+            parsed.service,
+            parsed.owner,
+            parsed.scopeTier,
+            parsed.sensitivity,
+            parsed.allowedDomains,
+            parsed.permittedOperations,
+            parsed.expiresAt,
+            parsed.rotationPolicy,
+            parsed.lastValidatedAt,
+            parsed.selectionNotes,
+            JSON.stringify(parsed.binding),
+            parsed.tags,
+            parsed.status,
+        ]);
+        return parsed;
+    }
+    async update(id, patch) {
+        const parsedPatch = updateCredentialInputSchema.parse(patch);
+        const current = await this.getById(id);
+        if (!current) {
+            throw new Error(`Credential ${id} was not found.`);
+        }
+        const merged = createCredentialInputSchema.parse({
+            ...current,
+            ...parsedPatch,
+            id,
+        });
+        await this.database.query(`UPDATE credentials SET
+        display_name = $2,
+        service = $3,
+        owner = $4,
+        scope_tier = $5,
+        sensitivity = $6,
+        allowed_domains = $7,
+        permitted_operations = $8,
+        expires_at = $9,
+        rotation_policy = $10,
+        last_validated_at = $11,
+        selection_notes = $12,
+        binding = $13::jsonb,
+        tags = $14,
+        status = $15,
+        updated_at = NOW()
+      WHERE id = $1`, [
+            merged.id,
+            merged.displayName,
+            merged.service,
+            merged.owner,
+            merged.scopeTier,
+            merged.sensitivity,
+            merged.allowedDomains,
+            merged.permittedOperations,
+            merged.expiresAt,
+            merged.rotationPolicy,
+            merged.lastValidatedAt,
+            merged.selectionNotes,
+            JSON.stringify(merged.binding),
+            merged.tags,
+            merged.status,
+        ]);
+        return merged;
+    }
+    async delete(id) {
+        const result = await this.database.query("DELETE FROM credentials WHERE id = $1", [id]);
+        return (result.rowCount ?? 0) > 0;
+    }
+}

package/dist/repositories/pg-oauth-client-assertion-repository.js

@@ -0,0 +1,25 @@
+export class PgOAuthClientAssertionRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async register(clientId, jti, expiresAt) {
+        try {
+            await this.database.query(`INSERT INTO oauth_client_assertion_jtis (client_id, jti, expires_at)
+         VALUES ($1, $2, $3)`, [clientId, jti, expiresAt]);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async cleanup() {
+        const result = await this.database.query(`WITH deleted AS (
+         DELETE FROM oauth_client_assertion_jtis
+         WHERE expires_at <= NOW()
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM deleted`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}

package/dist/repositories/pg-policy-repository.js

@@ -0,0 +1,62 @@
+import { policyFileSchema } from "../domain/types.js";
+function mapRow(row) {
+    return {
+        id: row.id,
+        tenantId: row.tenant_id,
+        effect: row.effect,
+        description: row.description,
+        principals: row.principals,
+        principalRoles: row.principal_roles ?? undefined,
+        credentialIds: row.credential_ids ?? undefined,
+        services: row.services ?? undefined,
+        operations: row.operations,
+        domainPatterns: row.domain_patterns,
+        environments: row.environments ?? undefined,
+    };
+}
+export class PgPolicyRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async ensureInitialized() {
+        await this.database.healthcheck();
+    }
+    async read() {
+        const result = await this.database.query("SELECT * FROM policy_rules ORDER BY id ASC");
+        return policyFileSchema.parse({
+            version: 1,
+            rules: result.rows.map(mapRow),
+        });
+    }
+    async replaceAll(file) {
+        const parsed = policyFileSchema.parse(file);
+        await this.database.withTransaction(async (client) => {
+            await client.query("DELETE FROM policy_rules");
+            for (const rule of parsed.rules) {
+                await client.query(`INSERT INTO policy_rules (
+            id, tenant_id, effect, description, principals, principal_roles, credential_ids, services,
+            operations, domain_patterns, environments
+          ) VALUES (
+            $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
+          )`, [
+                    rule.id,
+                    rule.tenantId,
+                    rule.effect,
+                    rule.description,
+                    rule.principals,
+                    rule.principalRoles ?? null,
+                    rule.credentialIds ?? null,
+                    rule.services ?? null,
+                    rule.operations,
+                    rule.domainPatterns,
+                    rule.environments ?? null,
+                ]);
+            }
+        });
+    }
+    async count() {
+        const result = await this.database.query("SELECT COUNT(*)::text AS count FROM policy_rules");
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}

package/dist/repositories/pg-refresh-token-repository.js

@@ -0,0 +1,125 @@
+import { randomUUID } from "node:crypto";
+import { refreshTokenRecordSchema, } from "../domain/types.js";
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    const record = refreshTokenRecordSchema.parse({
+        refreshTokenId: row.refresh_token_id,
+        clientId: row.client_id,
+        tenantId: row.tenant_id,
+        subject: row.subject,
+        scopes: row.scopes,
+        roles: row.roles,
+        resource: row.resource ?? undefined,
+        expiresAt: toIso(row.expires_at),
+        status: row.status,
+        createdAt: toIso(row.created_at),
+        lastUsedAt: toIso(row.last_used_at),
+    });
+    return {
+        ...record,
+        tokenHash: row.token_hash,
+    };
+}
+export class PgRefreshTokenRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async issue(input) {
+        await this.database.query(`INSERT INTO refresh_tokens (
+        refresh_token_id, token_hash, client_id, tenant_id, subject, scopes, roles, resource, expires_at, status
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7, $8, $9, 'active'
+      )`, [
+            randomUUID(),
+            input.tokenHash,
+            input.clientId,
+            input.tenantId,
+            input.subject,
+            input.scopes,
+            input.roles,
+            input.resource ?? null,
+            input.expiresAt,
+        ]);
+    }
+    async getByHash(tokenHash) {
+        const result = await this.database.query("SELECT * FROM refresh_tokens WHERE token_hash = $1", [tokenHash]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async getById(refreshTokenId) {
+        const result = await this.database.query("SELECT * FROM refresh_tokens WHERE refresh_token_id = $1", [refreshTokenId]);
+        if (!result.rows[0]) {
+            return undefined;
+        }
+        const { tokenHash: _tokenHash, ...record } = mapRow(result.rows[0]);
+        return record;
+    }
+    async touch(tokenHash) {
+        await this.database.query("UPDATE refresh_tokens SET last_used_at = NOW() WHERE token_hash = $1", [tokenHash]);
+    }
+    async list(filter) {
+        const clauses = [];
+        const values = [];
+        if (filter?.clientId) {
+            values.push(filter.clientId);
+            clauses.push(`client_id = $${values.length}`);
+        }
+        if (filter?.status) {
+            values.push(filter.status);
+            clauses.push(`status = $${values.length}`);
+        }
+        if (filter?.tenantId) {
+            values.push(filter.tenantId);
+            clauses.push(`tenant_id = $${values.length}`);
+        }
+        const where = clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : "";
+        const result = await this.database.query(`SELECT * FROM refresh_tokens ${where} ORDER BY created_at DESC`, values);
+        return result.rows.map((row) => {
+            const { tokenHash: _tokenHash, ...record } = mapRow(row);
+            return record;
+        });
+    }
+    async expireStale() {
+        const result = await this.database.query(`WITH expired AS (
+         UPDATE refresh_tokens
+         SET status = 'revoked'
+         WHERE status = 'active' AND expires_at <= NOW()
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM expired`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async revokeById(refreshTokenId) {
+        const result = await this.database.query(`UPDATE refresh_tokens
+       SET status = 'revoked'
+       WHERE refresh_token_id = $1 AND status = 'active'
+       RETURNING *`, [refreshTokenId]);
+        if (!result.rows[0]) {
+            return undefined;
+        }
+        const { tokenHash: _tokenHash, ...record } = mapRow(result.rows[0]);
+        return record;
+    }
+    async revokeByClientId(clientId) {
+        const result = await this.database.query(`WITH revoked AS (
+         UPDATE refresh_tokens
+         SET status = 'revoked'
+         WHERE client_id = $1 AND status = 'active'
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM revoked`, [clientId]);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async replace(tokenHash, replacedByTokenId) {
+        const result = await this.database.query(`UPDATE refresh_tokens
+       SET status = 'revoked', replaced_by_token_id = $2, last_used_at = NOW()
+       WHERE token_hash = $1 AND status = 'active'
+       RETURNING *`, [tokenHash, replacedByTokenId]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+}

package/dist/repositories/pg-rotation-run-repository.js

@@ -0,0 +1,127 @@
+import { rotationRunSchema } from "../domain/types.js";
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    return rotationRunSchema.parse({
+        id: row.id,
+        tenantId: row.tenant_id,
+        credentialId: row.credential_id,
+        status: row.status,
+        source: row.source,
+        reason: row.reason,
+        dueAt: toIso(row.due_at),
+        plannedAt: toIso(row.planned_at),
+        startedAt: toIso(row.started_at),
+        completedAt: toIso(row.completed_at),
+        plannedBy: row.planned_by,
+        updatedBy: row.updated_by,
+        note: row.note ?? undefined,
+        targetRef: row.target_ref ?? undefined,
+        resultNote: row.result_note ?? undefined,
+    });
+}
+export class PgRotationRunRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async create(input) {
+        const parsed = rotationRunSchema.parse(input);
+        const result = await this.database.query(`INSERT INTO rotation_runs (
+         id, tenant_id, credential_id, status, source, reason, due_at, planned_at, started_at,
+         completed_at, planned_by, updated_by, note, target_ref, result_note
+       ) VALUES (
+         $1, $2, $3, $4, $5, $6, $7, $8, $9,
+         $10, $11, $12, $13, $14, $15
+       )
+       RETURNING *`, [
+            parsed.id,
+            parsed.tenantId,
+            parsed.credentialId,
+            parsed.status,
+            parsed.source,
+            parsed.reason,
+            parsed.dueAt ?? null,
+            parsed.plannedAt,
+            parsed.startedAt ?? null,
+            parsed.completedAt ?? null,
+            parsed.plannedBy,
+            parsed.updatedBy,
+            parsed.note ?? null,
+            parsed.targetRef ?? null,
+            parsed.resultNote ?? null,
+        ]);
+        return mapRow(result.rows[0]);
+    }
+    async getById(id) {
+        const result = await this.database.query("SELECT * FROM rotation_runs WHERE id = $1", [id]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async list(filter) {
+        const clauses = [];
+        const params = [];
+        if (filter?.status) {
+            params.push(filter.status);
+            clauses.push(`status = $${params.length}`);
+        }
+        if (filter?.credentialId) {
+            params.push(filter.credentialId);
+            clauses.push(`credential_id = $${params.length}`);
+        }
+        if (filter?.tenantId) {
+            params.push(filter.tenantId);
+            clauses.push(`tenant_id = $${params.length}`);
+        }
+        const whereClause = clauses.length ? `WHERE ${clauses.join(" AND ")}` : "";
+        const result = await this.database.query(`SELECT * FROM rotation_runs ${whereClause} ORDER BY planned_at DESC, id DESC`, params);
+        return result.rows.map((row) => mapRow(row));
+    }
+    async findOpenByCredentialId(credentialId) {
+        const result = await this.database.query(`SELECT * FROM rotation_runs
+       WHERE credential_id = $1
+         AND status IN ('pending', 'in_progress')
+       ORDER BY planned_at DESC
+       LIMIT 1`, [credentialId]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async transition(id, update) {
+        return this.database.withTransaction(async (client) => {
+            const existingResult = await client.query("SELECT * FROM rotation_runs WHERE id = $1 FOR UPDATE", [id]);
+            const existing = existingResult.rows[0];
+            if (!existing || !update.fromStatuses.includes(existing.status)) {
+                return undefined;
+            }
+            const startedAt = update.status === "in_progress"
+                ? new Date().toISOString()
+                : toIso(existing.started_at) ?? null;
+            const completedAt = update.status === "completed" || update.status === "failed" || update.status === "cancelled"
+                ? new Date().toISOString()
+                : null;
+            const result = await client.query(`UPDATE rotation_runs
+         SET status = $2,
+             started_at = $3,
+             completed_at = $4,
+             updated_by = $5,
+             note = COALESCE($6, note),
+             target_ref = COALESCE($7, target_ref),
+             result_note = COALESCE($8, result_note),
+             updated_at = NOW()
+         WHERE id = $1
+         RETURNING *`, [
+                id,
+                update.status,
+                startedAt,
+                completedAt,
+                update.updatedBy,
+                update.note ?? null,
+                update.targetRef ?? null,
+                update.resultNote ?? null,
+            ]);
+            return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+        });
+    }
+}

package/dist/repositories/pg-tenant-repository.js

@@ -0,0 +1,56 @@
+import { tenantRecordSchema } from "../domain/types.js";
+function toIso(value) {
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    return tenantRecordSchema.parse({
+        tenantId: row.tenant_id,
+        displayName: row.display_name,
+        description: row.description ?? undefined,
+        status: row.status,
+        createdAt: toIso(row.created_at),
+        updatedAt: toIso(row.updated_at),
+    });
+}
+export class PgTenantRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async ensureInitialized() {
+        await this.database.healthcheck();
+    }
+    async list() {
+        const result = await this.database.query("SELECT * FROM tenants ORDER BY tenant_id ASC");
+        return result.rows.map(mapRow);
+    }
+    async getById(tenantId) {
+        const result = await this.database.query("SELECT * FROM tenants WHERE tenant_id = $1", [tenantId]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async create(input) {
+        const result = await this.database.query(`INSERT INTO tenants (tenant_id, display_name, description, status)
+       VALUES ($1, $2, $3, $4)
+       RETURNING *`, [input.tenantId, input.displayName, input.description ?? null, input.status]);
+        return mapRow(result.rows[0]);
+    }
+    async update(tenantId, patch) {
+        const existing = await this.getById(tenantId);
+        if (!existing) {
+            return undefined;
+        }
+        const result = await this.database.query(`UPDATE tenants
+       SET display_name = $2,
+           description = $3,
+           status = $4,
+           updated_at = NOW()
+       WHERE tenant_id = $1
+       RETURNING *`, [
+            tenantId,
+            patch.displayName ?? existing.displayName,
+            patch.description ?? existing.description ?? null,
+            patch.status ?? existing.status,
+        ]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+}

package/dist/repositories/policy-repository.js

@@ -0,0 +1,24 @@
+import { policyFileSchema } from "../domain/types.js";
+import { readTextFile, writeTextFile } from "./json-file.js";
+export class JsonPolicyRepository {
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath;
+    }
+    async ensureInitialized() {
+        const text = await readTextFile(this.filePath);
+        if (text) {
+            policyFileSchema.parse(JSON.parse(text));
+            return;
+        }
+        const emptyPolicy = { version: 1, rules: [] };
+        await writeTextFile(this.filePath, `${JSON.stringify(emptyPolicy, null, 2)}\n`);
+    }
+    async read() {
+        const text = await readTextFile(this.filePath);
+        if (!text) {
+            return { version: 1, rules: [] };
+        }
+        return policyFileSchema.parse(JSON.parse(text));
+    }
+}